By Chris McCormack, Product Marketing Manager
There are a lot of misconceptions out there about safe web browsing. You might think you're being safe. But without the facts it's next to impossible to stay protected against today's changing threats. In this paper we describe the top five myths of safe web browsing, what the facts really are, and what you can do to stay secure.
1. Myth: A strict browsing policy that only lets users visit trusted sites keeps us safe
Fact: Every site presents a risk. There's no such thing as a trusted site anymore. And to make matters worse, anonymizing proxies make it easy for users to bypass most web policies.
The full story: Web threats are no longer the domain of the dark corners of the web such as adult and gambling sites. Hackers have long since moved on to target more mainstream, popular, trusted sites to distribute malware and infect victims. In fact, 80% of infected websites are legitimate trusted sites [1]. So while blocking inappropriate sites is important from an acceptable-use policy perspective and to reduce your risk surface area, it's not an effective security measure on its own. In addition, you should be aware that anonymizing proxy sites make it easy for users to bypass web filtering policies.
What you can do: In addition to a URL filtering solution, you also need to make sure you have advanced web malware detection to scan all website content as it's accessed. This will catch the latest threats, on any site, before they can become a problem. You also need to have anonymizing proxy protection in your web security solution. Ideally, the kind that can detect anonymizing proxy abuse in real time and stop rogue users dead in their tracks.
1 Websense research report: Security Pros & "Cons", http://www.websense.com/assets/reports/security-pros-and-cons-research-report.pdf
Figure 1: Hackers commonly exploit websites by embedding malicious code using techniques like SQL injection or cross-site scripting.
What you can do: Make sure you have advanced multi-layered web protection to provide a coordinated defense. It must include essential URL filtering, but also scan all downloaded website content as it's accessed. It must be able to deobfuscate and emulate JavaScript in real time to detect any suspicious behavior. Don't rely on signature-based malware detection; it's completely ineffective at protecting your organization from modern web threats.
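
Why matching a signature against the raw download falls short, shown as an added example (not code from the whitepaper or from Sophos): the same signature is applied before and after a static decoding pass. The signature, the samples and all function names are constructed, and static decoding is a much simpler stand-in for the real-time JavaScript emulation the paper calls for.

```javascript
// Added example: signature, samples and function names are constructed.
const SIGNATURE = /<iframe\b[^>]*\b(?:width|height)\s*=\s*["']?0\b/i;

// One static decoding pass. The script is never executed (no eval).
function unwrapOnce(src) {
  return src
    // \x3c and \u003c escapes -> literal characters
    .replace(/\\x([0-9a-f]{2})|\\u([0-9a-f]{4})/gi,
      (_, h2, h4) => String.fromCharCode(parseInt(h2 || h4, 16)))
    // String.fromCharCode(60, 105, ...) -> the characters themselves
    .replace(/String\.fromCharCode\(([\d\s,]+)\)/g,
      (_, nums) => String.fromCharCode(...nums.split(",").map(Number)))
    // unescape("%3C...") or decodeURIComponent("%3C...") -> decoded text
    .replace(/(?:unescape|decodeURIComponent)\(\s*(["'])(.*?)\1\s*\)/g,
      (whole, _quote, body) => {
        try { return decodeURIComponent(body); }
        catch { return whole; } // malformed %-sequence: leave as delivered
      });
}

// Repeat until a pass changes nothing; the cap bounds the work per page.
function deobfuscate(content, maxLayers = 8) {
  let text = content;
  for (let layers = 0; layers < maxLayers; layers++) {
    const next = unwrapOnce(text);
    if (next === text) return { text, layers };
    text = next;
  }
  return { text, layers: maxLayers };
}

// raw: signature on the bytes as delivered; decoded: after unwrapping.
function scan(content) {
  const { text, layers } = deobfuscate(content);
  return { raw: SIGNATURE.test(content), decoded: SIGNATURE.test(text), layers };
}

// Constructed samples (example.invalid is a reserved, non-resolving name).
const PLAIN = 'document.write(\'<iframe src="http://example.invalid/" width=0 height=0></iframe>\');';
const ONE_LAYER = 'document.write(unescape("%3Ciframe%20src%3D%22http%3A%2F%2Fexample.invalid%2F%22%20width%3D0%20height%3D0%3E%3C%2Fiframe%3E"));';
const TWO_LAYER = 'unescape("document.write%28String.fromCharCode%2860%2C105%2C102%2C114%2C97%2C109%2C101%2C32%2C119%2C105%2C100%2C116%2C104%2C61%2C48%2C62%29%29")';

for (const [name, sample] of Object.entries({ PLAIN, ONE_LAYER, TWO_LAYER })) {
  console.log(name, scan(sample));
}
```

Only the plain sample matches on the raw bytes; the encoded ones match only after one or two decoding passes, which is the gap the paragraph above describes.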
A Sophos Whitepaper April 2012
3. Myth: Using a secure browser like Google Chrome offers better protection
Fact: Even though Chrome is considered among the most secure, every browser has new vulnerabilities all the time. Hackers are constantly testing new exploits, and the best ones are the ones we haven't heard about.
The full story: Chrome is widely considered among the most secure browsers available today, a reputation that Firefox once had. But we wouldn't recommend putting your security on the line based on reputation. In fact, hackers have exposed vulnerabilities in the browser, proving Chrome isn't impenetrable [2]. It's the vulnerabilities we haven't heard about that should concern you the most. It's not surprising that as a browser like Chrome becomes more popular with users, it also becomes more of a target to hackers. Hackers make money from exploiting vulnerabilities and infecting systems. So more people using a given browser means more opportunity for the hackers.
Source: https://twitter.com/#!/pwn2own_contest
Figure 2: Chrome is vulnerable to exploits like any other browser. A competitor at the annual Pwn2Own conference managed to hack Chrome in just five minutes.
What you can do: All of today's browsers represent a security risk, but there are a few steps you can take to improve your chances of avoiding infection. First, use application control to limit the number of browsers supported in your organization to as few as possible. Keep those supported browsers fully patched at all times with a vulnerability management solution. This will keep your risk surface area to a minimum. Finally, make sure you have advanced web malware detection at work that can stop threats in real time, no matter what browser you're using.
2 Naked Security blog, http://nakedsecurity.sophos.com/2012/03/08/chrome-pw2own-vulnerabilit/
Figure 3: Numerous types of Mac OS X specific threats are detected daily by SophosLabs.
What you can do: If you haven't already, deploy a Mac antivirus solution. Ideally, your solution should be lightweight and easy to manage alongside your other platforms. It should be backed by a global threat analysis labs operation that actively monitors Mac threats. Make sure your Mac applications and add-ons are fully patched and up to date at all times to reduce the number of potential vulnerabilities.
5. Myth: The only way to protect offsite users is with a VPN or cloud service
Fact: That used to be true, but not anymore.
The full story: In the past, you had to redirect your users' web surfing through a cloud service or back through your secure web gateway with a VPN connection to keep them secure. As you probably know, this can be terribly complex, expensive, and full of problems like latency, loss of localization, and bandwidth consumption. The good news is, there is a better way. Integrating web policy enforcement and web content scanning directly into the network layer on your laptops is by far the most effective, efficient, scalable, and affordable way to stay protected on the web wherever users go.
What you can do: Adopt a web protection solution that integrates web security directly into the endpoint on all your laptops, keeping your road warriors, remote workers, and other offsite users safe wherever they happen to be. You'll keep users secure while still having complete visibility and policy control over users everywhere they go.
[Diagram labels: Policy; Endpoints; Web Administrator; (secure connection); Reporting Data]
LiveConnect enables instant policy and reporting updates everywhere users go by seamlessly connecting your endpoints and management console through the cloud.
Figure 4: You need web protection that provides your offsite users direct access to the web while still allowing you to update policy or view activity as if they were right in the office.
Copyright 2012. Sophos Ltd. All rights reserved. All trademarks are the property of their respective owners.